About Me

Hello, my name is Thomas Cope and I currently work as the Chief Security Officer at Next DLP. I manage the end to end Security of our Enterprise DLP product (from design, threat model, SDLC, release and support) alongside managing the PSIRT & Product Security teams and our ISO 27001 certification. Before joining Next DLP I worked for eight years as a Cloud Cyber Security Architect at IBM while studying part-time at Oxford University for a Master’s Degree in Software and Systems Security.

I am an experienced Security Architect and Systems Engineer with a passion for designing, building and maintaining secure systems, processes and teams. I have strong experience in both Cloud and containerized (Docker / Kubernetes) platforms while working in DevSecOps environments. I enjoy programming and electronics in my spare time - you can learn more in the “Projects” sections below. I have a keen interest in Security and Cryptography. I enjoy designing and building secure systems / software as well as performing security research on pre-existing systems / software. I am CISSP Certified as well as a Redhat Linux System Engineer. I use these skills extensively at work and for the support of this server, which is used to host both my own and a friend’s projects (Server Status).

In my spare time, I am a STEM Ambassador and an Associational (MBCS) Member of the British Computer Society. I play games such as TF2, Counter-Strike, Valorant and Minecraft. I am an avid runner and enjoy a good game of Badminton. I also enjoy Skiing when I get the chance. Feel free to drop me a line on my LinkedIn, GitHub or YouTube.

Blog posts

Some of my ramblings:

Spark Presentation

I presented at a local school about the benefits of a career in cybersecurity.

(Posted on 13 February 2023 · 1 min read)

Cambridge Presentation

I presented at Cambridge University a talk on “That’s expensively weird - a deep dive into cloud incident response”. The talk went into threat modeling, the importance of code review,…

(Posted on 07 January 2023 · 1 min read)

Data Protection Fireside Chat

A Christmas themed fireside chat video reviewing the Data protection space in 2022 and predictions for 2023.

(Posted on 15 December 2022 · 1 min read)

ISO 27001:2022 Blog Post

A blog post I made about my thoughts on Data Protection within the new ISO 27001 2022 standard.

(Posted on 02 December 2022 · 1 min read)

Places I’ve been quoted

Living document of places I’ve been quoted when asked to comment on Cyber-security News

(Posted on 01 December 2022 · 1 min read)

Cranford Careers Fair

I attended the Cranford Community College Careers fair alongside my Colleague Robbie representing Next DLP (with the recent re-branding we were using our old “Qush” banners) to provide students with…

(Posted on 21 November 2022 · 1 min read)

BSides Basingstoke Presentation

I was invited to BSides Basingstoke where I presented a talk guiding the audience through my own practical security research experience developing CVE-2020-5014. I walk through the process of information…

(Posted on 15 July 2022 · 1 min read)

Newcastle University Presentation

I presented my talk “From Zero to SSRF to RCE and back again” to the Newcastle University Competitive Computer Science Society, in the talk I explain “Ethical Hacking Journey -…

(Posted on 21 May 2022 · 1 min read)

IBM HMC Exploit CVE-2021-29707

During some security research I discovered a method in which the local user account restricted in the HMC shell could be used to escalate privilege to root access. The post…

(Posted on 19 July 2021 · 9 mins read)

X Series RAID Card Stuck Boot

I was able to acquire a second hand IBM System x3650 M4 BD (5466). I wanted to replace the ServeRAID card with a “ServeRAID M1015 LSI 9220-8i 6GB SAS SATA…

(Posted on 28 January 2021 · 2 mins read)

IBM Datapower Exploit CVE-2020-5014

During some personal security research I discovered an SSRF vulnerability in IBM Datapower which could then be upgraded to RCE. The practical upshot of which is with an authenticated session…

(Posted on 21 October 2020 · 3 mins read)

Debugging Valorant

I had quite a few issues getting Riot Games’ new first person shooter Valorant running on my laptop. This is a brief post to cover some of the techniques I…

(Posted on 17 July 2020 · 6 mins read)

NahamCon CTF (2020)

I took part in NahamCon CTF. It was a two day event but I was only able to make it for the last 1/2 of the last day. I scored…

(Posted on 13 June 2020 · 6 mins read)

Docker setuid & setgid weirdness

During some work on a project I came across some strange behaviour on how docker handles setuid & setgid. In Linux the setuid and setgid C calls are used to…

(Posted on 20 February 2020 · 8 mins read)

Zip Encryption Known Plain Text Attack

In this post I would like to highlight a really old flaw with the encryption used by the zip file format. This is a known text attack based on the…

(Posted on 05 December 2019 · 4 mins read)

Quick and Dirty Reverse Engineering

A while ago I had to work with a particularly frustrating application that was required to connect to a hardware appliance. Both of which will remain unnamed in this post….

(Posted on 15 November 2019 · 5 mins read)

Oxford Foundry CTF (2019)

The Oxford Competitive Computer Society hosted a Capture the Flag event which was great fun, I ranked third on the scoreboard. Below are my favorite challenges with a video of…

(Posted on 09 June 2019 · 1 min read)

Projects

A selection of my favorite projects:

boTTom

Tom’s Bot or Bot Tom - A Reliable Secure Simple Easy to Deploy Cross Platform Botnet

I’ve always had an interest in botnets, from Mirai to Emotet, this side project is my own botnet creation used to test out new ideas and learn more about what it takes to build a botnet, how they can be taken down and how to best approach them.

ssh_ws

Homegrown implementation of Google Beyond Corp security system (Zero Trust)

This is a demonstration of a proof of concept I built to tunnel ssh traffic over web-sockets using the same system Google uses (Zero Trust) to secure SSH access. It used JWT, mTLS and OAuth. I built both a client and server application to achieve this.

bad_scp

A Proof of Concept of the Linux command ‘scp’ client side vulnerabilities (CVE-2019-6111 + CVE-2019-6110)

I reverse engineered and created a practical demo of the CVE-2019-6111 + CVE-2019-6110 vulnerabilities.

Reading-List

A collection of articles I’ve read and enjoyed

MSc in Software and Systems Security

Details of my Master’s Degree, chosen Modules and Dissertation

I attended Oxford University for an MSc in Software and Systems Security. This page details the 3 software and 7 security modules I attended along with an explanation of my dissertation.

Photography

A collection of random photos

I would not describe myself as a photographer or the kind of chap to have an instagram, but I do enjoy taking photos, so I thought I’d put a few of my faves on here.

Beans

A simple REST API Based Game

A REST API Game where the objective is to have the most beans by the end of the day

New PC

Building my new PC!

Details about my new PC, its specs and some cool photos!

bash_bunny - scvtrs

Simple Cross platform Volatile TCP Reverse Shell using a Bash Bunny

Using the Bash Bunny from Hak5 I built a payload that can determine the Host OS using p0f and then deliver the required payload.

Pastejacking 2

An expansion on the original pastejacking attack using bash tricks

This is a demo of a new pastejacking attack using bash and command line tricks to fool the user into executing malicious code.

Arduino Minecraft Monitor

A helpful Arduino Library for polling Minecraft Servers

A custom made Arduino library to query a Minecraft server using the bespoke UDP query API.

Arduino Door Lock

Fingerprint and Android Style Pattern Lock

An Arduino door lock using a Fingerprint scanner and a 7 inch touch screen.

Golang Screen Saver

A snake style terminal screen saver written in Golang

A really simple terminal screen saver written in Golang using the tput library.

OpenCV Recorder

A simple but customizable WebCAM recorder using openCV.

A companion application to the TSTP, that allows for openCV videos to be saved and then played back.

Arduino Iron Key

An Arduino based portable secure memory stick.

I recreated the functionality of a hardware encrypted memory stick (such as ‘IronKey’ or ‘Datashur’) using the Arduino micro-controller and a SD card shield.

TSTP

Toms Sentry Tracking Program

This is the 3rd incarnation of my Sentry Tracking program. Using opencv and C++, this project dynamically scans a webcam or video feed and tracks one or more targets.

TVBG

Toms Very Basic Game

One of the largest programs I’ve written. A simple space shooter written in C++ using OpenGL and a custom made game engine.

TVTS

Toms Vehicle Tracking System (Arduino GPS)

An Arduino based GPS and GRSM Tracking System using a custom built library for the Maplin GSMShield. The Arduino acquires a GPS lock, reads the value and sends the data encrypted via UDP to a collection server.

CCB

Conference Call Bingo

A fun game to play while on a Conference Call.

Datapower XML to JSON

Gateway script to convert XML to JSON

A really simple gateway script to be used on an IBM Datapower to convert XML to JSON using built in Datapower functions.

Languages

I primarily write GO / Golang day to day and shell scripting. I have experience with the below languages:

Programming Languages

Markup Languages

Skills

Pentesting:

Tools / Software:

IBM Specific:

Operating Systems:

Clouds

Qualifications

Certifications

Awards

Contact
